Transcript

Data Security

Presenter: Muhammad Ghazanfar Ullah

Head, Computer Systems Engineering. Usman Institute of Technology

Agenda of Presentation

About Data Security

Security Measures

Policies and Principles

Technology and Threats

Security


For some, it is just a concept; it's about peace of mind and reassurance. It's about knowing that there is something you can rely on, something that you can turn to when there is a problem. Having a feeling of security brings you a sense of confidence and security for the future.

For others, security means protection against something or someone. It provides a defence for people and property; safeguarding a precious investment or something that is cherished.

Data


While carrying out an investigation about 'ourselves', a child writes 'brown' under the heading 'hair color'. This is data about that child. This data becomes information when it is used to inform in some way, for example, when the data is combined with the heading and presented as a statement - 'Jane has brown hair'.

Data can take many forms. It might be numerical data of room temperatures, words relating to a particular subject such as flowers, or sounds or images collected to illustrate a presentation. It could even be imaginary data created by children, about characters in their drama, for example.

Computers and Data

Information

Most Valuable Resource

Five main Resources

Physical: Personnel, Material, Machines (including facilities and energy), Money

Conceptual: Information (and data)

Many large organizations use computers to store important data (information). Large companies, government departments, colleges and hospitals all keep important information, for example, employee records and wages, patient or student records and accounts.

Why?

1. Efficiency

2. Accuracy

3. Capacity

4. Sharing and Transmission etc.

Computer Users

Region          2002    2003    2004
North America   212.6   222.8   234.4
Latin America    25.6    32.6    43.7
Europe          163.5   195.5   224.8
Africa/ME         9.2    10.7    11.5
Asia/Pacific    151.2   203.6   238.1
Total           562.3   665.4   752.6

How Did We Get Here?

The proliferation of computers. 2-3 w/LAN per household is not unusual.

The geographical expansion of networks.

44 million plus hosts

650,000 plus Web sites

800 million plus Internet users by the end of 2008.

The dramatic rise in computer literacy.

The dependence of organizations upon the infrastructure.

ECommerce is expected to be between 8 and 13 trillion dollars by 2008.

The dependence of organizations upon information.

Sensitive Information

Sensitive information is any information stored on your computer that you would hate to have fall into the wrong hands. This could be personal information, employee information, trade secrets, etc. It is the ramifications that are the concern.

Is your Information Sensitive?

1. What would happen if your competitor had a copy of a spreadsheet file containing your short and long term sales strategy?

2. What would happen if personnel records became public knowledge within your organization?

3. What would happen if your customer database was copied and sold? Does it contain information that you are ultimately liable for?

4. What would happen if someone made copies of your archived personal email messages? Could they somehow use this against you?

5. What could a resourceful private detective and a cunning lawyer do with information on your computer?

Data Security

There are two problems with keeping this information on computers. The first problem is that information can be lost through technical or human error.

The second problem is that some information is confidential - only certain people should see it. These people can be described as ‘authorized users’ and the people who shouldn’t see this information as ‘unauthorized users’.

Security Services

1. Secrecy

2. Integrity

3. Availability

4. Authenticity

5. Non-repudiation

6. Access control

Secrecy (Confidentiality)

Secrecy requires that the information in a computer system only be accessible for reading by authorized parties.

This type of access includes:

Printing

Displaying

Other forms of disclosure, including simply revealing the existence of an object

Integrity

Integrity requires that the computer system asset can be modified only by authorized parties.

Modification includes:

Writing

Changing

Changing status

Deleting and Creating

Availability

Availability requires that computer system assets are available to authorized parties.

Availability is a requirement intended to assure that systems work promptly and service is not denied to authorized users.

Security of Data

[Diagram: Data Confidentiality, Data Integrity, Data Availability; labelled "Secure Data"]

Authenticity

Authenticity means that parties in an information service can ascertain the identity of parties trying to access information services.

It also means that the origin of the message is certain. There are therefore two types:

Principal Authentication

Message Authentication

Non-Repudiation

Originator of communications can’t deny it later.

Without non-repudiation you could place an order for 1 million dollars of equipment online and then simply deny it later.

Or you could send an email inviting a friend to the dinner and then disclaim it later.

Non-repudiation associates the identity of the originator with the transaction in a non-deniable way.

Access Control

Unauthorized users are kept out of the system.

Unauthorized users are kept out of places on the system/disk.

Typically makes use of Directories or Access Control Lists (ACLs) or Access Control Matrix

Objects: Resources that need to be protected

Subjects: Entities that need access to resources

Rights: Permissions

Each entry is a triple <subject, object, rights>

The Threats to Security

Types

Natural Events and Accidents

Blunders, Errors and Omissions

Insiders

Recreational Hackers

Criminal Activity

Industrial Espionage

Terrorism

National Intelligence

Information Warfare

Typical Threats

NATURAL DISASTERS: Fires, Earthquakes, Hurricanes, Tornadoes, Floods

PEOPLE: Hackers, Criminals, Insiders

ACCIDENTS: Power Switch, Water Pipes, Air Conditioning, Air Humidity, Sparks

Insiders

Managers. Contractors. Business Partners. Former Employees. Present Employees. Disgruntled Employees. System Administrators. Network Administrators.

Outsiders

Hackers. Virus Writers. Criminals.

Corporate Espionage. Identity Theft. Internet Fraud.

Terrorist. Foreign Intelligence Services. Foreign Military (Information Warfare).

The Attacks

Attack

An attack is a danger that could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.

Types of Attacks

Interruption

Interception

Modification

Fabrication

Quiz????

Modification is the attack on which service?

Fabrication is the attack on which service?

Classification of attacks

Computer security attacks can be classified into two broad categories:

Passive Attacks can only observe communications or data.

Active Attacks can actively modify communications or data. Often difficult to perform, but very powerful. Examples include:

Mail forgery/modification

TCP/IP spoofing/session hijacking

The Technology

A Security Model

Firewalls and Security Gateways are based on this model

Encryption


Encryption can be used to provide Confidentiality, Integrity, Authentication and Non-Repudiation.

There are four major cryptographic functions you should be familiar with:

Symmetric Cryptography

The first is Symmetric Cryptography, which uses the same key for both encryption and decryption. Examples are:

1. Data Encryption Standard (DES) (56 bits)

2. Triple DES (3DES) (112 bits)

3. International Data Encryption Algorithm (IDEA) (128 bits)

4. Rivest Cipher (RC4) (variable length key)

5. Advanced Encryption Standard (AES-Rijndael) (variable key length)

Encryption Contd.

The second is Asymmetric Cryptography, which uses two keys, a Public and a Private key. One key is used for encrypting/signing while the other is used for decrypting/verifying. Examples are:

Diffie-Hellman

Rivest, Shamir and Adleman (RSA)

Digital Signature Algorithm (DSA/El Gamal)

Elliptic Curve Cryptosystem (ECC)

These are trapdoor one-way functions that are easy to compute in one direction but very difficult to compute in the other.

They are much slower than symmetric algorithms and are not practical for encrypting/decrypting large amounts of data.

They are normally used for exchanging session keys (Private Keys) for symmetric algorithms.

Encryption Contd.

The third is Hash Functions, which are used to condense a variable-length message into a fixed-length code. This code is called a Hash or Message Digest (MD). Examples are:

Message Digest (MD5) (128 bits)

Secure Hash Algorithm (SHA-1) (160 bits)

Haval (variable length)

Hashes are cryptographic checksums used to provide integrity checks on messages or files.

They are one-way functions and it is not mathematically feasible to recover the original message from the hash (at least not yet).

A Digital Signature is created by computing the Hash then encrypting the hash with the sender's Private Key.
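The hash-then-sign procedure just described, as an added example that is not part of the original presentation. It assumes SHA-256 in place of the MD5 and SHA-1 listed above (neither is collision resistant any more) and a constructed toy RSA key with no padding, so it shows the mechanism only.

```python
import hashlib

# Constructed toy key: two Mersenne primes give a ~150-bit modulus.
# Far too small for real use; real RSA keys are 2048 bits or more and
# real signature schemes add padding, which this sketch leaves out.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def digest(message: bytes) -> bytes:
    """Condense a variable-length message into a fixed-length code."""
    return hashlib.sha256(message).digest()


def digest_as_int(message: bytes) -> int:
    # Reduce the 256-bit digest into the range of the toy modulus.
    return int.from_bytes(digest(message), "big") % N


def sign(message: bytes) -> int:
    """Sender: compute the hash, then apply the private key to it."""
    return pow(digest_as_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver: undo the signature with the public key and compare the
    result with a fresh hash of the message that actually arrived."""
    return pow(signature, E, N) == digest_as_int(message)


if __name__ == "__main__":
    order = b"Order 1001: ship 10 units to warehouse A"      # constructed
    tampered = b"Order 1001: ship 90 units to warehouse A"   # constructed
    sig = sign(order)
    print("digest length:", len(digest(order)), "bytes")
    print("original verifies:", verify(order, sig))
    print("tampered verifies:", verify(tampered, sig))
```

Only the holder of the private exponent can produce a value that verifies, which is what ties the signature to message authentication and non-repudiation.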

Encryption Contd.

The fourth is Public Key Certificates which provide a means of distributing Public Keys.

These public keys are used to support Authentication, Integrity and Confidentiality for such functions as Web transactions, Email and IPSec.

Public Key Infrastructure (PKI) provides a means for:

Generating keys,

Signing Certificates (Certificate Authority (CA)), and

Establishing Certificate Revocation (Certificate Revocation Lists (CRL)).

Encryption Issues

Cryptanalysis Attacks

Brute Force Attack (Keyspace Search).

Known Plaintext.

Linear/Differential Analysis.

Weak Protocols (Man-in-the-Middle Attack).

Surrounding System

Encryption does not provide perimeter security.

Encryption Contd.

Recommendation: Employ a perimeter defense with encryption.

Security Policies

Policy Goals

Goal 1 - To define the organization's expectation with regard to the proper use of computers and networks

Goal 2 - To define how the organization will respond to a security incident.

The policy must conform to existing policies, rules, regulations and laws.

The policy should be developed by both technical and management personnel.

A policy must be both implementable and enforceable.

The policy must ensure that everyone knows their responsibility for maintaining security.

Prevention is the key to security.

Security Policy Philosophy

There are four basic security philosophies around which an organization can construct a security policy.

Paranoid: Nothing is allowed (no external connections) - The organization has been hacked and it's paranoid.

Cautious: That which is not explicitly permitted is not allowed. The default policy is to deny.

Optimistic: That which is not explicitly prohibited is allowed. The default policy is to allow.

Open: Everything is allowed. This organization has not been hacked.

NOTE: Instructor's recommendation: BE CAUTIOUS.

The correct philosophy will depend upon the organization. The following criteria should be employed in establishing your policy.

Risks - How much risk is management willing to accept?

Cost - How much money is management willing to expend based upon the risks?

Operations - What is the proper balance between risk, cost and operations?

Culture - What is your organization's value system with regard to personal communications?

Legal - What are your legal requirements to customers, employees, state, etc.?
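The <subject, object, rights> triples from the Access Control slide, evaluated under each of the four philosophies above, as an added example that is not part of the original presentation. The subjects, objects and the separate PROHIBITED list are constructed for illustration.

```python
from typing import NamedTuple


class Entry(NamedTuple):
    subject: str        # entity that needs access to a resource
    obj: str            # resource that needs to be protected
    rights: frozenset   # permissions


# Constructed sample data: explicit permissions and explicit prohibitions.
PERMITTED = [
    Entry("alice", "payroll.db", frozenset({"read", "write"})),
    Entry("bob", "payroll.db", frozenset({"read"})),
    Entry("bob", "patients.db", frozenset({"read", "write"})),
]
PROHIBITED = [
    Entry("guest", "payroll.db", frozenset({"read", "write", "delete"})),
]


def listed(entries, subject, obj, right):
    """True if some triple names this subject, object and right."""
    return any(e.subject == subject and e.obj == obj and right in e.rights
               for e in entries)


def is_allowed(philosophy, subject, obj, right):
    if philosophy == "paranoid":      # nothing is allowed
        return False
    if philosophy == "cautious":      # default policy is to deny
        return listed(PERMITTED, subject, obj, right)
    if philosophy == "optimistic":    # default policy is to allow
        return not listed(PROHIBITED, subject, obj, right)
    if philosophy == "open":          # everything is allowed
        return True
    raise ValueError(f"unknown philosophy: {philosophy}")


def compare(subject, obj, right):
    """Decision for one request under all four philosophies."""
    return {p: is_allowed(p, subject, obj, right)
            for p in ("paranoid", "cautious", "optimistic", "open")}


if __name__ == "__main__":
    for request in [("bob", "payroll.db", "read"),         # permitted
                    ("guest", "payroll.db", "read"),       # prohibited
                    ("bob", "payroll.db", "write"),        # right not granted
                    ("temp01", "patients.db", "delete")]:  # unanticipated
        print(request, compare(*request))
```

The last two requests are the ones no entry anticipated: the cautious policy denies them, while the optimistic policy lets them through.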

Security Policy Philosophy Contd.

Organizational security policies, standards, guidelines and procedures must be driven by senior management.

Senior management must believe in the value of security.

Senior management must support security through their actions.

Senior management must conform to the same rules and regulations.

Users must believe that security has the support of senior management.

Organizational security policies should be designed to support Information.

Proprietary information.

Customer information.

Databases.

Electronic Mail.

All electronic or paper information.

Risk can be reduced but never eliminated.

No matter how much time and effort you spend to secure your computer or network, it can always be broken into.

Given enough time, resources, money and motivation any system can be had.

Policy Thoughts

The following are decisions that determine an organization's security posture.

Who is allowed to use the resources?

What is the proper use of those resources?

What is being protected?

Why is it being protected?

Who has responsibility for protecting these resources?

What are the rights and responsibilities of the users? The System Administrator? The Network Manager?

Who/How is the organization to interpret and resolve security conflicts?

Policy Thoughts

Level 1   Policy       Philosophy of protection
Level 2   Standards    Goals of protection
Level 3   Guidelines   Task to Accomplish Goal
Level 4   Rules        To implement Tasks in Firewalls/IDS

Thank you!
